U.S. patent application number 09/811551 was filed with the patent office on 2002-01-17 for extended key preparing apparatus, extended key preparing method, recording medium and computer program.
Invention is credited to Ito, Koichi, Shimoyama, Takeshi, Takenaka, Masahiko, Torii, Naoya, Yajima, Jun, Yanami, Hitoshi, Yokoyama, Kazuhiro.
Application Number | 20020006196 09/811551 |
Document ID | / |
Family ID | 18708401 |
Filed Date | 2002-01-17 |
United States Patent
Application |
20020006196 |
Kind Code |
A1 |
Shimoyama, Takeshi ; et
al. |
January 17, 2002 |
Extended key preparing apparatus, extended key preparing method,
recording medium and computer program
Abstract
Intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i are
prepared by an intermediate data preparing equipment 4 from a
cryptographic key through a nonlinear type function operation and
the like, an extended key preparing equipment 5 selects a
[X.sub.r], b [Y.sub.r], c [Z.sub.r], and d [W.sub.r] corresponding
to the number of stages r from the intermediate data, and
rearranges the data as well as conducts that of bit operation to
prepare extended keys, whereby an extended key preparing apparatus
by which an extended key required in the case where common key
cryptosystem is applied can be safely prepared at a high speed, a
process for preparing such an extended key, and a recording medium
used therefor are provided.
Inventors: |
Shimoyama, Takeshi;
(Kawasaki, JP) ; Ito, Koichi; (Kawasaki, JP)
; Takenaka, Masahiko; (Kawasaki, JP) ; Torii,
Naoya; (Kawasaki, JP) ; Yajima, Jun;
(Kawasaki, JP) ; Yanami, Hitoshi; (Kawasaki,
JP) ; Yokoyama, Kazuhiro; (Kawasaki, JP) |
Correspondence
Address: |
STAAS & HALSEY LLP
700 11TH STREET, NW
SUITE 500
WASHINGTON
DC
20001
US
|
Family ID: |
18708401 |
Appl. No.: |
09/811551 |
Filed: |
March 20, 2001 |
Current U.S.
Class: |
380/44 ;
380/277 |
Current CPC
Class: |
H04L 2209/12 20130101;
H04L 9/0625 20130101 |
Class at
Publication: |
380/44 ;
380/277 |
International
Class: |
H04L 009/00 |
Foreign Application Data
Date |
Code |
Application Number |
Jul 13, 2000 |
JP |
2000-212482 |
Claims
What is claimed is:
1. An extended key preparing apparatus wherein extended keys are
prepared in common key cryptosystem from a cryptographic key input,
comprising: a dividing unit which divides binary digit string of
said cryptographic key into a plurality of elements each composed
of a predetermined bit length; an intermediate data preparing unit
which prepares a plurality of intermediate data by applying a
plurality of times an operation wherein a predetermined constant is
used to the respective elements divided by said dividing unit; a
selecting unit which selects a plurality of intermediate data
corresponding to the number of stages of extended keys from the
plurality of the intermediate data prepared by said intermediate
data preparing unit; and an extended key preparing unit which
prepares the extended keys corresponding to said number of stages
by converting irreversibly the plurality of the intermediate data
selected by said selecting unit.
2. An extended key preparing apparatus according to claim 1 wherein
said intermediate data preparing unit is provided with a nonlinear
type operating unit for effecting nonlinear type operation with
respect to the respective elements divided by said dividing
unit.
3. An extended key preparing apparatus according to claim 2 wherein
said nonlinear type operating unit performs nonlinear type
operation in such a manner that when said cryptographic key is
divided into eight elements of 32 bits by said dividing unit, said
nonlinear type operating unit separates said elements into 6, 5, 5,
5, 5, and 6 bits to transpose the same into other data,
respectively, and the data after transposition are subjected to
nonlinear type operation by the use of a determinant.
4. An extended key preparing apparatus according to claim 2 wherein
said intermediate data preparing unit is provided with: an addition
unit which adds a constant to an odd number-th element that has
been subjected to nonlinear type operation; a multiplication unit
which multiplies an even number-th element which has been subjected
to nonlinear type operation by said constant; and an exclusive OR
operating unit which effects exclusive OR operation of said odd
number-th element to which has been added the constant and said
even number-th element which is succeeding to said odd number-th
and to which has been multiplied by said constant.
5. An extended key preparing apparatus according to claim 4,
comprising further a unit for preparing intermediate data by
subjecting nonlinear type operation to the result of said exclusive
OR operation of said odd number-th element and said even number-th
element which is succeeding to said odd number-th.
6. An extended key preparing apparatus according to claim 5 wherein
said addition unit and said multiplication unit repeat the
plurality of times additions and multiplications by the use of the
number i of different constants, respectively, to prepare the
number i of data in every elements; said exclusive OR operating
unit repeat i times operations for acquiring exclusive OR of the
odd number-th element and the even number-th element which have
been operated by the use of the same constants; and said preparing
unit prepare the number i of intermediate data in every
elements.
7. An extended key preparing apparatus according to claim 6 wherein
said selecting unit selects one intermediate data corresponding to
said number of stages of an extended key among the number i of
intermediate data contained in the respective elements which have
been prepared by said intermediate data preparing unit.
8. An extended key preparing apparatus according to claim 1 wherein
said extended key preparing unit is provided with: a rearrangement
unit which rearranges a plurality of intermediate data selected by
said selecting unit; and an irreversible conversion unit which
converts irreversibly the plurality of intermediate data that have
been rearranged by said rearrangement unit.
9. An extended key preparing apparatus according to claim 8 wherein
when intermediate data are rearranged in an order of elements X, Y,
Z, and W by said rearrangement unit, said irreversible converting
unit prepares a first data by adding the element Y to a data
obtained by shifting cyclically the element X leftwards by 1 bit;
prepares a second data determined by sifting cyclically the data
leftwards by further 1 bit, which data has been obtained by
subtracting the element W from a data obtained by shifting
cyclically said element Z leftwards by 1 bit; and operates
exclusive OR of said first data and said second data.
10. An extended key preparing apparatus according to claim 1
wherein said dividing unit divides a cryptographic key of 128 bits,
192 bits, or 256 bits into eight elements of 32 bits.
11. An extended key preparing method wherein extended keys are
prepared in common key cryptosystem from a cryptographic key input,
comprising the steps of, dividing binary digit string of said
cryptographic key into a plurality of elements each composed of a
predetermined bit length; preparing a plurality of intermediate
data by applying the plurality of times an operation wherein a
predetermined constant is used to the respective elements divided
by said dividing step; selecting a plurality of intermediate data
corresponding to the number of stages of extended keys from the
plurality of the intermediate data prepared by said intermediate
data preparing step; and preparing the extended keys corresponding
to said number of stages by converting irreversibly the plurality
of the intermediate data selected by said selecting step.
12. An extended key preparing method according to claim 11 wherein
said intermediate data preparing step involves a nonlinear type
operating step for effecting nonlinear type operation with respect
to the respective elements divided by said dividing step.
13. An extended key preparing method according to claim 12 wherein
said nonlinear type operating step performs nonlinear type
operation in such a manner that when said cryptographic key is
divided into eight elements of 32 bits by said dividing step, said
nonlinear type operating step separates said elements into 6, 5, 5,
5, 5, and 6 bits to transpose the same into other data,
respectively, and the data after transposition are subjected to
nonlinear type operation by the use of a determinant.
14. An extended key preparing method according to claim 12 wherein
said intermediate data preparing step involves: an addition step
for adding a constant to an odd number-th element that has been
subjected to nonlinear type operation; a multiplication step for
multiplying an even number-th element which has been subjected to
nonlinear type operation by said constant; and an exclusive OR
operating step for effecting exclusive OR operation of said odd
number-th element to which has been added the constant and said
even number-th element which is succeeding to said odd number-th
and to which has been multiplied by said constant.
15. An extended key preparing method according to claim 14,
comprising further a step for preparing intermediate data by
subjecting nonlinear type operation to the result of said exclusive
OR operation of said odd number-th element and said even number-th
element which is succeeding to said odd number-th.
16. An extended key preparing method according to claim 15 wherein
said addition step and said multiplication step repeat the
plurality of times additions and multiplications by the use of the
number i of different constants, respectively, to prepare the
number i of data in every elements; said exclusive OR operating
step repeat i times operations for acquiring exclusive OR of the
odd number-th element and the even number-th element which have
been operated by the use of the same constants; and said preparing
step prepare the number i of intermediate data in every
elements.
17. An extended key preparing method according to claim 16 wherein
said selecting step selects one intermediate data corresponding to
said number of stages of an extended key among the number i of
intermediate data contained in the respective elements which have
been prepared by said intermediate data preparing step.
18. An extended key preparing method according to claim 11 wherein
said extended key preparing step involves: a rearrangement step for
rearranging a plurality of intermediate data selected by said
selecting step; and an irreversible conversion step for converting
irreversibly the plurality of intermediate data that have been
rearranged by said rearrangement step.
19. An extended key preparing method according to claim 18 wherein
when intermediate data are rearranged in an order of elements X, Y,
Z, and W by said rearrangement step, said irreversible converting
step prepares a first data by adding the element Y to a data
obtained by shifting cyclically the element X leftwards by 1 bit;
prepares a second data determined by sifting cyclically the data
leftwards by further 1 bit, which data has been obtained by
subtracting the element W from a data obtained by shifting
cyclically said element Z leftwards by 1 bit; and operates
exclusive OR of said first data and said second data.
20. An extended key preparing method according to claim 11 wherein
said dividing step divides a cryptographic key of 128 bits, 192
bits, or 256 bits into eight elements of 32 bits.
21. A computer readable recording medium wherein an extended key
preparing program in which extended keys are prepared in common key
cryptosystem from a cryptographic key input is to be recorded,
comprising: recording the program containing a dividing step for
dividing binary digit string of said cryptographic key into a
plurality of elements each composed of a predetermined bit length;
an intermediate data preparing step for preparing a plurality of
intermediate data by applying the plurality of times an operation
wherein a predetermined constant is used to the respective elements
divided by said dividing step; a selecting step for selecting a
plurality of intermediate data corresponding to the number of
stages of extended keys from the plurality of the intermediate data
prepared by said intermediate data preparing step; and an extended
key preparing step for preparing the extended keys corresponding to
said number of stages by converting irreversibly the plurality of
the intermediate data selected by said selecting step.
22. An extended key preparing program in which extended keys are
prepared in common key cryptosystem from a cryptographic key input,
comprising: recording the program containing a dividing step for
dividing binary digit string of said cryptographic key into a
plurality of elements each composed of a predetermined bit length;
an intermediate data preparing step for preparing a plurality of
intermediate data by applying the plurality of times an operation
wherein a predetermined constant is used to the respective elements
divided by said dividing step; a selecting step for selecting a
plurality of intermediate data corresponding to the number of
stages of extended keys from the plurality of the intermediate data
prepared by said intermediate data preparing step; and an extended
key preparing step for preparing the extended keys corresponding to
said number of stages by converting irreversibly the plurality of
the intermediate data selected by said selecting step.
Description
FIELD OF THE INVENTION
[0001] The present invention relates to an extended key preparing
apparatus and method as well as to a recording medium and computer
program, and particularly to an extended key preparing apparatus by
which an extended key required in the case where common key
cryptosystem is applied can be safely prepared at a high speed, a
process for preparing such an extended key, and a recording medium
and computer program used therefor.
BACKGROUND OF THE INVENTION
[0002] Common key cryptosystem wherein a cryptographic key being
commonly used in both transmission and reception sides has been
heretofore known. FIG. 8 is an explanatory view for explaining
cryptographic processing in accordance with usual common key
cryptograph. As shown in FIG. 8, the cryptographic equipment is
composed of an extended key preparing means for preparing an
extended key for cryptographic key, and a cryptographic processing
means for encrypting a plaintext by the use of such extended
key.
[0003] More specifically, since n-stages of cryptographic
processing, i.e., cryptographic processing 1 to cryptographic
processing n are implemented in the cryptographic processing
equipment, extended key 1 to extended key n necessary for the
n-stages of cryptographic processing are successively prepared in
the extended key preparing means.
[0004] Accordingly, it is a very important problem in that a safe
extended key is how rapidly prepared by the extended key preparing
means in case of adopting common key cryptosystem.
[0005] In this connection, according to DES (Data Encryption
Standard) cryptograph, extended keys 1 to n are prepared from a
cryptographic key by means of only cyclical shifting and bit
transposition, whereby a preparation of extended keys is realized
at a high speed as shown in FIG. 9.
[0006] Furthermore, a process for preparing extended keys by means
of MARS has been known as a process for preparing safer extended
keys (a candidate cipher for AES, The First AES Conference, 1998,
pages 1-9).
[0007] According to the above described DES cryptograph, however,
an extended key is prepared by only cyclical shifting and bit
transposition as shown by a mark in FIG. 9, so that there are
problems in view of safety. More specifically, even if information
has been leaked as to one key among the number n of extended keys
prepared by extended key preparing equipment, a cryptographic key
itself to be input to extended key preparing equipment becomes
clear in this DES cryptosystem, whereby problems of safety
arise.
[0008] On the other hand, according to the above described MARS
extended key preparing apparatus, information of a cryptographic
key cannot be easily acquired from information of an extended key,
so that there is no problem as to safety like in DES cryptosystem.
However, another problem in such that many calculations must be
repeated in the process, whereby the operations require much time
arises.
[0009] From the matters described above, it has been a very
important problem that a safe extended key required in case of
applying common key cryptosystem is how rapidly prepared.
SUMMARY OF THE INVENTION
[0010] It is an object of the present invention to provide an
extended key preparing apparatus by which an extended key required
in the case where common key cryptosystem is applied can be safely
prepared at a high speed, a process for preparing such an extended
key, and a recording medium used therefor.
[0011] An extended key preparing apparatus of a first aspect
wherein extended keys are prepared in common key cryptosystem from
a cryptographic key input, comprises a dividing means for dividing
binary digit string of the cryptographic key into a plurality of
elements each composed of a predetermined bit length (corresponding
to the intermediate data preparing means 4 of FIG. 1); an
intermediate data preparing means for preparing a plurality of
intermediate data by applying a plurality of times an operation
wherein a predetermined constant is used to the respective elements
divided by the dividing means (corresponding to the intermediate
data preparing means 4 of FIG. 1); a selecting means for selecting
a plurality of intermediate data corresponding to the number of
stages of extended keys from the plurality of the intermediate data
prepared by the intermediate data preparing means (corresponding to
the extended key preparing means 5 of FIG. 1); and an extended key
preparing means for preparing the extended keys corresponding to
the number of stages by converting irreversibly the plurality of
the intermediate data selected by the selecting means
(corresponding to the extended key preparing means 5 of FIG.
1).
[0012] According to the invention of the first aspect, binary digit
string of the cryptographic key is divided into a plurality of
elements each composed of a predetermined bit length; a plurality
of intermediate data are prepared by applying the plurality of
times an operation wherein a predetermined constant is used to the
respective elements; a plurality of intermediate data corresponding
to the number of stages of extended keys are selected from the
plurality of the intermediate data prepared; and the extended keys
corresponding to the number of stages are prepared by converting
irreversibly the plurality of the intermediate data selected,
whereby such extended keys required in the case where common key
cryptosystem is applied can be safely prepared at a high speed.
[0013] Furthermore, an extended key preparing method of a eleventh
aspect wherein extended keys are prepared in common key
cryptosystem from a cryptographic key input, comprises a dividing
step for dividing binary digit string of the cryptographic key into
a plurality of elements each composed of a predetermined bit
length; an intermediate data preparing step for preparing a
plurality of intermediate data by applying the plurality of times
an operation wherein a predetermined constant is used to the
respective elements divided by the dividing step; a selecting step
for selecting a plurality of intermediate data corresponding to the
number of stages of extended keys from the plurality of the
intermediate data prepared by the intermediate data preparing step;
and an extended key preparing step for preparing the extended keys
corresponding to the number of stages by converting irreversibly
the plurality of the intermediate data selected by the selecting
step.
[0014] According to the invention of the eleventh aspect, binary
digit string of the cryptographic key is divided into a plurality
of elements each composed of a predetermined bit length; a
plurality of intermediate data are prepared by applying the
plurality of times an operation wherein a predetermined constant is
used to the respective elements; a plurality of intermediate data
corresponding to the number of stages of extended keys are selected
from the plurality of the intermediate data prepared; and the
extended keys corresponding to the number of stages are prepared by
converting irreversibly the plurality of the intermediate data
selected, whereby such extended keys required in the case where
common key cryptosystem is applied can be safely prepared at a high
speed.
[0015] Furthermore, a computer readable recording medium and
computer program of a twenty-first aspect wherein an extended key
preparing program in which extended keys are prepared in common key
cryptosystem from a cryptographic key input is to be recorded,
comprises recording the program containing a dividing step for
dividing binary digit string of the cryptographic key into a
plurality of elements each composed of a predetermined bit length;
an intermediate data preparing step for preparing a plurality of
intermediate data by applying the plurality of times an operation
wherein a predetermined constant is used to the respective elements
divided by the dividing step; a selecting step for selecting a
plurality of intermediate data corresponding to the number of
stages of extended keys from the plurality of the intermediate data
prepared by the intermediate data preparing step; and an extended
key preparing step for preparing the extended keys corresponding to
the number of stages by converting irreversibly the plurality of
the intermediate data selected by the selecting step.
[0016] According to the invention of the twenty-first aspect,
binary digit string of the cryptographic key is divided into a
plurality of elements each composed of a predetermined bit length;
a plurality of intermediate data are prepared by applying the
plurality of times an operation wherein a predetermined constant is
used to the respective elements; a plurality of intermediate data
corresponding to the number of stages of extended keys are selected
from the plurality of the intermediate data prepared; and the
extended keys corresponding to the number of stages are prepared by
converting irreversibly the plurality of the intermediate data
selected, whereby such extended keys required in the case where
common key cryptosystem is applied can be safely prepared at a high
speed.
[0017] Other objects and features of this invention will become
apparent from the following description with reference to the
accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] FIG. 1 is a block diagram showing the whole construction of
cryptographic equipment used in the present embodiment;
[0019] FIG. 2 is a flowchart illustrating processing steps for
preparing an extended key from a cryptographic key by means of the
extended key processing equipment shown in FIG. 1;
[0020] FIG. 3 is an explanatory diagram for explaining a concept
for preparing intermediate data by means of the intermediate data
preparing equipment shown in FIG. 1;
[0021] FIGS. 4(a) and 4(b) are explanatory diagrams each for
explaining a concept for preparing an extended key from the
intermediate data by means of the extended key preparing apparatus
shown in FIG. 1;
[0022] FIGS. 5(a), 5(b), and 5(c) are explanatory diagrams each for
explaining selection of data by means of the selected value
deciding equipment as well as rearrangement of data by means of the
data rearrangement processing equipment shown in FIGS. 4(a) and
4(b);
[0023] FIGS. 6(a), 6(b), and 6(c) are explanatory diagrams (No. 1)
each for explaining an example of operations for a nonlinear type
function conducted by the intermediate data preparing equipment
shown in FIG. 1;
[0024] FIGS. 7(d) and 7(e) are explanatory diagrams (No. 2) each
for explaining another example of operations for the nonlinear type
function conducted by the intermediate data preparing equipment
shown in FIG. 1;
[0025] FIG. 8 is an explanatory diagram for explaining
cryptographic processing by means of a usual common key
cryptography; and
[0026] FIG. 9 is a block diagram illustrating a conventional
algorithm based on DES cryptography.
DESCRIPTION OF THE PREFERRED EMBODIMENT
[0027] A preferred embodiment applied suitably for an extended key
preparing apparatus, an extended key preparing method, and a
recording medium according to the present invention will be
described in detail hereinafter by referring to the accompanying
drawings.
[0028] First, the whole construction of cryptographic equipment
used in the present embodiment will be described. FIG. 1 is a block
diagram illustrating the whole construction of the cryptographic
equipment 1 used in the present embodiment. As shown in FIG. 1 the
cryptographic equipment 1 is the one which prepares an extended key
1 to an extended key n from a cryptographic key in the case when a
plaintext or the cryptographic key is input, and encrypts the
plaintext by the use of the extended keys 1 to n prepared.
[0029] The cryptographic equipment 1 involves cryptographic
processing equipment 2 for effecting cryptographic processing of a
plaintext, and an extended key processing equipment 3 for preparing
extended keys 1 to n required for encryption in the cryptographic
processing equipment 2.
[0030] The cryptographic processing equipment 2 performs
cryptographic processing (1) to (n) of n-stages by the use of the
extended keys 1 to n to prepare a ciphertext corresponding to the
plaintext, and the resulting ciphertext is output. In the
cryptographic processing of n-stages (1) to (n), each cryptographic
processing is carried out after receiving the extended keys 1 to n
prepared in the extended key processing equipment 3, and the
ciphertext is output from the final stage wherein the cryptographic
processing (n) is carried out.
[0031] The extended key processing equipment 3 is the one for
preparing the extended keys 1 to n, which are to be supplied to the
cryptographic processing equipment 2 from a cryptographic key which
has been input, and which is provided with intermediate data
preparing equipment 4 and an extended key preparing equipment 5. It
is to be noted that the present embodiment of the invention is
characterized in that an extended key is prepared by such a manner
that an intermediate data is once prepared by means of the
intermediate data preparing equipment 4, and then the extended key
is prepared by the use of the intermediate data thus prepared,
unlike a conventional manner wherein an extended key is prepared
simply from a cryptographic key.
[0032] The intermediate data preparing equipment 4 is a processing
section for preparing intermediate data composed of respective
elements of a.sub.i, b.sub.i, c.sub.i, and d.sub.i (i=0, 1, and 2)
at the time when a cryptographic key is input. In the present
embodiment, an explanation is made on the case where intermediate
data a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, C.sub.0 to c.sub.2,
and d.sub.0 to d.sub.2 are prepared in case of "i=0, 1, and 2" for
the convenience of explanation. While the detailed explanation will
be made later, intermediate data are prepared by means of nonlinear
type function, exclusive OR, addition, and multiplication in the
intermediate data preparing equipment 4.
[0033] The extended key preparing equipment 5 is a processing
section for preparing extended keys of the number corresponding to
the specified number r of stages from the intermediate data which
have been prepared by the intermediate data preparing equipment 4.
More specifically, one each of elements (for example, a.sub.1,
b.sub.0, c.sub.1, and d.sub.2) is selected from the respective
elements a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, c.sub.0 to
c.sub.2, and d.sub.0 to d.sub.2, the respective elements thus
selected are rearranged, for example, in such that b.sub.0,
a.sub.1, d.sub.2, and c.sub.1, and a predetermined calculation is
made on the rearranged elements to prepare the extended keys 1 to
n.
[0034] Next, processing steps for preparing extended keys from a
cryptographic key by means of the extended key processing equipment
3 shown in FIG. 1 will be described hereinafter. In this
connection, FIG. 2 is a flowchart showing processing steps for
preparing extended keys from a cryptographic key by the use of the
extended key processing equipment 3 shown in FIG. 1.
[0035] As shown in FIG. 2, when a plaintext is input together with
a cryptographic key (user key) by a user (step S1), the
cryptographic key is incorporated into the intermediate preparing
equipment 4.
[0036] Thereafter, the intermediate processing equipment 4 divides
binary digit strings of the cryptographic key into data k.sub.0 to
k.sub.7 of eight groups, and an operation wherein the
undermentioned nonlinear type function M is applied is made upon
these data k.sub.0 to k.sub.7 to acquire data k.sub.0' to k.sub.7'
(step S2).
[0037] Then, a constant is added to each of even number-th data
k.sub.0', k.sub.2', k.sub.4', and k.sub.6' (step S3), while odd
number-th data k.sub.1', k.sub.3', k.sub.5', and k.sub.7' are
multiplied by the constant (step S4), thereafter exclusive OR
operation is implemented with respect to the even number-th data to
each of which was added the constant as well as to the odd
number-th data with each of which is multiplied by the constant
(step S5), and then, a nonlinear type function M is applied to the
results operated (step S6), whereby intermediate data a.sub.i to
d.sub.i are prepared. In this case, however, since the i takes
values of 0, 1, and 2, intermediate data a.sub.0 to a.sub.2,
b.sub.0 to b.sub.2, c.sub.0 to c.sub.2, and d.sub.0 to d.sub.2, are
obtained, in reality.
[0038] Thereafter, when the number r of stages of extended keys is
input (step S7), corresponding data are selected from the
intermediate data which have been already prepared (step S8),
whereby the selected data are transposed in accordance with the
number r (step S9). Then, irreversible conversion G is applied to
the intermediate data after the transposition (step S10) to output
an extended key of the r-th stage (step S11).
[0039] In the case when another extended key is required to be
prepared (step S12; YES), it shifts to the above described step S7,
and the same processing is repeated, while preparing process of
extended key is completed in the case when a preparation of
required extended keys was finished (step S12; NO).
[0040] As described above, when the processing in the above steps
S1 to S6 is carried out, the intermediate data of a.sub.i to
d.sub.i wherein i=0, 1, and 2 can be prepared. Furthermore, when
the processing in the steps S7 to S12 is implemented, extended keys
to which have been applied irreversible conversion can be prepared
at a high speed by the use of the intermediate data prepared in the
steps S1 to S6.
[0041] Next, a concept of preparing intermediate data by means of
the intermediate data preparing equipment 4 shown in FIG. 1 will be
described in more detail. In this connection, FIG. 3 is an
explanatory diagram for explaining the concept of preparing
intermediate data by means of the intermediate data preparing
equipment 4 shown in FIG. 1. In FIG. 3, symbols "k.sub.0 to
k.sub.7" designate binary digit strings which are obtained by
dividing bit strings of a cryptographic key into eight groups,
respectively, "M" is nonlinear type function operation, "+" means
addition of a constant, ".times." means multiplication of a
constant, and symbols "a.sub.i to d.sub.i" denote intermediate
data.
[0042] As shown in FIG. 3, the intermediate data preparing
equipment 4 divides binary digit strings of the cryptographic key
into data k.sub.0 to k.sub.7 of eight groups. For instance, when
the cryptographic key is composed of 128 (32.times.4) bits, the
initial 32 bits correspond to k.sub.0, the next 32 bits correspond
to k.sub.1, the following 32 bits are identified by k.sub.2, and
the further following 32 bits are identified as k.sub.3 wherein
there are the following relationships, i.e., k.sub.4=k.sub.0,
k.sub.5=k.sub.1, k.sub.6 =k.sub.2, and k.sub.7=k.sub.3,
respectively. Thus, 32 bits each of data k.sub.0 to k.sub.7 are
obtained.
[0043] Furthermore, when the cryptographic key is composed of 192
(32.times.6) bits, k.sub.0 to k.sub.5 are prepared wherein
relationships k.sub.6=k.sub.0, and k.sub.7=k.sub.1 are established.
Still further, when the cryptographic key is composed of 256
(32.times.8) bits, the cryptographic key is divided into 32 bits
each to obtain 32 bits each of data k.sub.0 to k.sub.7. According
to the manner described above, a cryptographic key may be divided
into 32 bits each of data k.sub.0 to k.sub.7, even if the
cryptographic key has any length of 128 bits, 192 bits or 256
bits.
[0044] Thus, as shown in FIG. 3, a nonlinear type function M is
applied to the respective data of k.sub.0 to k.sub.7 to obtain 32
bit data of k.sub.0' to k.sub.7' corresponding respectively to the
data k.sub.0 to k.sub.7. Then, a constant is added to even
number-th data k.sub.0', k.sub.2', k.sub.4', and k.sub.6',
respectively, while odd number-th data k.sub.1', k.sub.3.sup.1',
k.sub.5' and k.sub.7' are multiplied by the constant,
respectively.
[0045] Thereafter, exclusive OR operation is subjected to a bit
string of a even number-th data to which was added a constant
(e.g., k.sub.0' +M(4i)) and an odd number-th bit string to which
was multiplied by the constant (e.g., k.sub.1' .times.(i+1)),
respectively, and further the nonlinear type function M is applied
to these operated results to prepare intermediate data a.sub.i to
d.sub.i.
[0046] It is to be noted herein that constants used in the
above-described steps S4 to S6 are M(4i) and (i+1) as shown in FIG.
3 wherein i takes a value of 0, 1, or 2, whereby intermediate data
a.sub.0 to a.sub.2, b.sub.0 to b.sub.2, c.sub.0 to c.sub.2, and
d.sub.0 to d.sub.2 are obtained.
[0047] Next, a concept for preparing extended key from intermediate
data by means of the extended key preparing equipment 5 shown in
FIG. 1 will be described in more detail. In this connection, FIGS.
4(a) and 4(b) are explanatory diagrams each for explaining a
concept for preparing extended key from intermediate data by the
use of the extended key preparing equipment 5 shown in FIG. 1.
[0048] As shown in FIG. 4(a), the extended key preparing equipment
5 is provided with a selector value deciding device, selectors, a
data rearrangement processing device, and a G (X, Y, Z, W)
calculating device. The selected value deciding device is a one for
deciding xr, yr, zr, and wr indicating respective elements a, b, c,
and d to be selected from among the respective intermediate data
a.sub.i, b.sub.i, c.sub.i, and d.sub.i (i=0, 1, or 2) based on the
number of stages r of an extended key to be prepared.
[0049] A selector selects intermediate data a(X.sub.r) b(y.sub.r)
c(Z.sub.r), and d(W.sub.r), respectively, in accordance with the
x.sub.r, y.sub.r, Z.sub.r, and w.sub.r decided by the selector
value deciding device.
[0050] The data rearrangement processing device rearranges
(transposes) the data a(X.sub.r), b(Y.sub.r), c(Z.sub.r), and
d(W.sub.r) based on the number of stages r. More specifically,
transpositions corresponding to the number of stages r are
implemented as shown in FIG. 5(c), which will be described
hereinafter.
[0051] The G(X, Y, Z, W, and r) calculating device prepares an
extended key E.sub.xKey.sub.r based on the data (X, Y, Z, and W)
after the rearrangement. The construction of the G(X, Y, Z, W, and
r) calculating device is as shown in FIG. 4(b). In the same figure,
a representation "<<<1" means 1 bit leftward cyclical
shifting for shifting bit string of data cyclically leftwards by 1
bit, "+" means addition of two data, "-" means for subtracting a
certain data from another data, and "{circumflex over (+)}" means
exclusive OR.
[0052] In the following, procedure steps for preparing an extended
key by means of the extended key preparing equipment 5 will be
described. As shown in FIG. 4(a), when the number of stages r is
input, the corresponding data are selected from among intermediate
data, and the data selected are transposed in accordance with the
number r. More specifically, one data is selected in every elements
in such a manner that a.sub.1 is selected from among a.sub.0 to
a.sub.2, while b.sub.0 is selected from among b.sub.0 to
b.sub.2.
[0053] For instance, when "a.sub.1, b.sub.0, c.sub.1, and d.sub.2"
are selected, they are transposed into "b.sub.0, a.sub.1, d.sub.2,
and c.sub.1" wherein X=b.sub.0, Y=a.sub.1, Z=d.sub.2, and
W=c.sub.1, respectively, in the case shown in FIG. 4.
[0054] Then, irreversible conversion is applied the irreversible
conversion G to the intermediate data after the transposition
thereof to output an extended key in the r-th stage. More
specifically, the data X is sifted cyclically leftwards by 1 bit,
it is added to the data Y, besides the data Z is shifted cyclically
leftwards by 1 bit, and the data W is subtracted there from whereby
it is cyclically shifted leftwards by 1 bit. Then, results of the
both data were subjected to exclusive OR operation to produce the
extended key r in the r-th stage.
[0055] Next, selection of data by means of the selected value
deciding equipment as well as rearrangement of data by means of the
data rearrangement processing equipment shown in FIG. 4(a) will be
described in more detail. In this connection, FIGS. 5(a), 5(b), and
5(c) are explanatory diagrams for each explaining the selection of
data by means of the selected value deciding equipment as well as
the rearrangement of data by means of the data rearrangement
processing equipment shown in FIG. 4(a).
[0056] FIG. 5(a) expresses equations (1), which is applied at the
time when intermediate data to be selected is selected by the
selected value deciding equipment, and they are as follows:
X.sub.r=Z.sub.r=r mod 3
y.sub.r=w.sub.r=r+[r/3]mod 3
[0057] as expressed in equations (1).
[0058] FIG. 5(b) is a diagram illustrating schematically the
equations (1) shown in FIG. 5(a) wherein numerical values
corresponding to that, which are to be selected from one of three
numbers of 0, 1, and 2 are indicated in the case where the number
of stages is r, and a group composed of nine numbers are
cycled.
[0059] When a value corresponding to the number of stages r (one of
three numbers i=0, 1, and 2) is decided in accordance with FIG.
5(a) or FIG. 5(b), (X.sub.r, Y.sub.r, Z.sub.r, and W.sub.r)
corresponding to the number of stages r can be selected from the
number i each of intermediate data shown in FIG. 4(a).
[0060] FIG. 5(c) shows an order table that is used in the case
where rearrangement is implemented by means of the data
rearrangement processing equipment. This order table functions to
decide an order in the case where the intermediate data (X.sub.r,
Y.sub.r, Z.sub.r, and W.sub.r) of the number of stages r selected
in FIG. 5(a) or FIG. 5(b) are rearranged (replaced). More
specifically, rearrangement is carried out in accordance with the
order table wherein the number of stages r on the left side are
allowed to correspond to orders for rearrangement on the right side
in the figure.
[0061] For instance, when "a.sub.1, b.sub.0, c.sub.1, and d.sub.2"
are selected, it becomes "a.sub.1, b.sub.0, c.sub.1, and d.sub.2"
in the case where the number of stages is 0, it comes to be
"b.sub.0, a.sub.1, d.sub.2, and c.sub.1" in the case where the
number of stages is 1, and further it becomes "d.sub.2, c.sub.1,
b.sub.0, and a.sub.1" in the case where the number of stages is
2.
[0062] Next, an example of nonlinear type function operation
performed by the intermediate data preparing equipment 4 shown in
FIG. 1 will be described. It is to be noted that the present
invention is not limited to this nonlinear type operation, but a
variety of nonlinear type operations may also be applied. FIGS.
6(a), 6(b), and 6(c) as well as FIGS. 7(d) and 7(e) are explanatory
diagrams for each explaining an example of nonlinear type function
operation carried out by the intermediate data preparing equipment
4 shown in FIG. 1.
[0063] FIG. 6(a) illustrates an example of the whole construction
of operation for the nonlinear type function M wherein a case where
the nonlinear type function M is operated by applying a user key
(cryptographic key) m of 32 bits to prepare a result w of 32 bits
is shown.
[0064] As illustrated, a user key of 32 bits is divided herein into
m.sub.0, m.sub.1, m.sub.2, m.sub.3, m.sub.4, and m.sub.5 of 6, 5,
5, 5, 5, and 6 bits, respectively. Then, values x are converted
into those of S5 (x) as to m.sub.1, m.sub.2, m.sub.3, and m.sub.4
which are divided into 5 bits, respectively, in accordance with the
table of S5 (x) shown in FIG. 6(b).
[0065] Likewise, values of x are converted into values of S6 (x) as
to m.sub.0, and m.sub.6 divided in 6 bits, respectively, in
accordance with S6 (x) shown in FIG. 6(c), whereby data v shown in
FIG. 6(a) is prepared.
[0066] Thereafter, values of MDS (x) shown in FIG. 7(d) are placed
at respective positions of a determinant shown in FIG. 7(e),
besides data v are also disposed in the determinant concerning the
determinant shown in FIG. 7(e), and both the values are subjected
to matrix computation to calculate values w. Thus, results
(operation results of nonlinear type function M) by means of an XOR
calculating device wherein the MDS of FIG. 6(a) is used are
obtained.
[0067] Next, processing in the first stage for preparing
intermediate data from a cryptographic key which has been already
explained as well as processing in the second stage for preparing
extended keys of the number of stages r assigned by the
intermediate data will be described by the use of mathematical
models and signs.
[0068] (1) Processing in the first stage (processing for preparing
intermediate data from a cryptographic key):
[0069] (1-1) A cryptographic key of 256 bits is divided into eight
data k.sub.0, k.sub.1, . . . , k.sub.7 in every 32 bits (see FIG.
3).
[0070] (1-2) Intermediate data a.sub.i, b.sub.i, c.sub.i, and
d.sub.i (i=0, 1, 2) are prepared in accordance with calculations of
the following paragraphs (1-3) to (1-6) by utilizing nonlinear type
function M to which is input data of 32 bits that was divided in
the paragraph (1-1), while which outputs the data of 32 bit (see
FIG. 3). Furthermore, process steps (3-1) to (3-6) are executed
with respect to the nonlinear type function M.
[0071] (1-3) a.sub.i=M (Ta (k.sub.0, i) XOR Ua (k.sub.1, i) wherein
Ta (k.sub.0, i)=M (k.sub.0)+M (4i), Ua (k.sub.1, i)=M
(k.sub.1).times.(i+1) is calculated. XOR represents an exclusive OR
operation.
[0072] (1-4) b.sub.i=M (Tb (k.sub.2, i) XOR Ub (k.sub.3, i) wherein
Tb (k.sub.3, i)=M (k.sub.2)+M (4i+1), Ub (k.sub.3, i)=M
(k.sub.3).times.(i+1) is calculated.
[0073] (1-5) c.sub.i=M (Tc (k.sub.4, i) XOR Uc (k.sub.5, i) wherein
Tc (k.sub.4, i)=M (k.sub.4)+M (4i+2), Uc (k.sub.5, i)=M
(k.sub.5).times.(i+1) is calculated.
[0074] (1-6) d.sub.i=(Td (k.sub.6, i) XOR Ud (k.sub.7, 1) ) wherein
Td (k.sub.6, i)=M (k.sub.6)+M (4i+3), Ud (k.sub.7, i)=M
(k.sub.7).times.(i+1) is calculated.
[0075] (2) Processing in the second stage (processing for preparing
extended keys of the number of stages r from intermediate
data):
[0076] (2-1) Calculation is made with respect to extended keys
E.sub.xKey.sub.r of the number of stages r (r=0, 1, and 2) in
accordance with the following paragraphs (2-2) to (2-4) (see FIG.
4(a)).
[0077] (2-2) A progression X, Y, Z, W represented by Xr=Zr=r mod 3,
Yr=Wr=r+[r/3] mod 3 (Equation (1)) is used to obtain (X, Y, Z,
W)=(a (Xr), b (Yr), c (Zr), d (Wr))
[0078] (2-3) Data rearrangement represented by (X, Y, Z, W)
=ORDER_12 (X, Y, Z, W, r' ) wherein ORDER_12 (X, Y, Z, W, r') is
the one shown in FIG. 5(c) is made with respect to r' satisfying
r'= (r+[r/36]) mod 12.
[0079] (2-4) Extended keys of the number of stages r are calculated
by means of E.sub.xKey.sub.r=G (X, Y, Z, W) wherein G (X, Y, Z,
W)=((x<<<1) +Y) XOR (((Z<<<1) -W) <<<1),
and <<<1 indicates 1 bit leftward cyclical shifting (see
FIG. 4(b)).
[0080] (3) Operation processing of nonlinear type function M:
[0081] (3-1) In accordance with the following paragraphs (3-2) to
(3-6), result w of 32 bits is output from input m of 32 bits (see
FIG. 6(a)).
[0082] (3-2) The input m is bit-divided to acquire values m.sub.0,
. . . , m.sub.5 in the following forms:
[0083] m.sub.0=(the 5th bit from the 0th bit of m)
[0084] m.sub.1=(the 10th bit from the 6th bit of m)
[0085] m.sub.2=(the 15th bit from the 61th bit of m)
[0086] m.sub.3=(the 20th bit from the 16th bit of m)
[0087] m.sub.4=(the 25th bit from the 21st bit of m)
[0088] m.sub.5=(the 31st bit from the 26th bit of m)
[0089] (3-3) A nonlinear type transformation function S.sub.5 which
outputs 5 bits in respect of input of 5 bits as well as a nonlinear
type conversion function S.sub.6 which outputs 6 bits in respect of
input of 6 bits wherein S.sub.5 and S.sub.6 are those shown in
FIGS. 6(b) and 6(c), respectively, are used to acquire the
following results:
[0090] s.sub.0=S.sub.6 (m.sub.0)
[0091] s.sub.1=S.sub.5 (m.sub.1)
[0092] s.sub.2=S.sub.5 (m.sub.2)
[0093] s.sub.3=S.sub.5 (m.sub.3)
[0094] s.sub.4=S.sub.5 (m.sub.4)
[0095] s.sub.5=S.sub.6 (m.sub.5)
[0096] (3-4) An equation v=s0
.vertline.s1.vertline.s2.vertline.s3.vertlin- e.s4.vertline.s5
wherein ".vertline." represents link of bit values is
calculated.
[0097] (3-5) An equation w=(v0.times.MDS (0)) XOR (v1.times.MDS
(1)) XOR . . . XOR (v 31.times.MDS (31)) wherein vi.times.MDS (i)
is 0 in case of vi=0, while it is MDS (i) in case of vi =1, by
means of the conversion table MDS which is output 32 bits from the
bit value vi that is the i-th v and the input of 5 bits, and MDS is
the one shown in FIG. 7(d) is calculated.
[0098] (3-6) The system outputs w.
[0099] As mentioned above, the present embodiment is constructed in
such that intermediate data a.sub.i, b.sub.i, c.sub.i, and d.sub.i
are prepared by the intermediate data preparing equipment 4 from a
cryptographic key through a nonlinear type function operation and
the like, the extended key preparing equipment 5 selects a [Xr], b
[Yr], c [Zr], and d [Wr] corresponding to the number of stages r
from the intermediate data, and rearranges the data as well as
implements that of bit operation to prepare extended keys. As a
result, safe extended keys can be prepared from a cryptographic key
at a high speed.
[0100] More specifically, the present invention has such a
construction in that intermediate data are prepared from a
cryptographic key in the first stage, arbitrary data are selected
from the intermediate data to effect irreversible conversion in the
second stage, whereby extended keys of an arbitrary number of
extended keys are prepared. Thus, it becomes possible to prepare
the extended keys at a high speed through irreversible conversion,
whereby safety in common key system can be elevated.
[0101] As a result, the present invention provides the following
advantages.
[0102] (1) For instance, although a significant period of time is
required for preparing one intermediate data, the number of
intermediate data required can be reduced by the extended key
preparing equipment 5, whereby extended keys each having high
safety can be prepared at a high speed.
[0103] (2) In the case where only extended keys, which will be
required are prepared on the course of processing for encryption or
decryption without storing all of extended keys E.sub.xKey.sub.0,
E.sub.xKey.sub.1, . . . , E.sub.xKey.sub.n-1 prepared, only the
extended keys which correspond to the number of stages r assigned
can be prepared at a high speed.
[0104] Further explanation will be made in this respect, in a
common key cryptosystem, in general, when extended keys are used in
an order of E.sub.xKey.sub.0, E.sub.xKey.sub.1, . . . ,
E.sub.xKey.sub.n-1 in encryption, the extended keys are employed in
the reverse order of that in the encryption in such order of
E.sub.xKey.sub.n-1, . . . , E.sub.xKey.sub.1, E.sub.xKey.sub.0 in
decryption. In this case, when successive preparation is made in
accordance with an extended key preparing apparatus wherein a value
of E.sub.xKey.sub.0 is required for preparing E.sub.xKey.sub.1,
(see FIG. 9 mentioned already), E.sub.xKey.sub.1, cannot be
directly prepared, but E.sub.xKey.sub.0 is previously prepared, and
then E.sub.xKey.sub.1, is prepared by the use of the former
E.sub.xKey.sub.0. Accordingly, a period of time for preparing an
extended key in decryption is longer than that of the encryption by
an amount corresponding to the time as explained above.
[0105] On the other hand, since extended keys can be prepared by
assigning an arbitrary number of stages r independent from the
other extended keys in the present embodiment, the same period of
time is required in both of a case where extended keys are prepared
in an order of E.sub.xKey.sub.0, E.sub.xKey.sub.1, . . . ,
E.sub.xKey.sub.n-1 and a case where extended keys are prepared in
an order of E.sub.xKey.sub.n-1, . . . , E.sub.xKey.sub.1,
E.sub.xKey.sub.0.
[0106] As described above, the present embodiment according to the
invention exhibits such a remarkable advantage that even if
extended keys are prepared successively, periods of time for
processing encryption and decryption can make equal to each other,
whereby an appearance of a longer period of time for preparing
extended keys in decryption than that of encryption can be
avoided.
[0107] While only the case where i=0, 1, and 2 has been described
in the present embodiment for the convenience of explanation, the
present invention is not limited thereto, but it is also applicable
for the case where i is 3 or more. Furthermore, although an example
of nonlinear type function operation has been described herein, the
invention is not limited thereto, but other one way functions such
as so-called hash function and the like are applicable.
[0108] As described above, according to the invention claimed in
the first aspect, binary digit string of the cryptographic key is
divided into a plurality of elements each composed of a
predetermined bit length; a plurality of intermediate data are
prepared by applying the plurality of times an operation wherein a
predetermined constant is used to the respective elements; a
plurality of intermediate data corresponding to the number of
stages of extended keys are selected from the plurality of the
intermediate data prepared; and the extended keys corresponding to
the number of stages are prepared by converting irreversibly the
plurality of the intermediate data selected, whereby there is an
advantage to provide an extended key preparing apparatus by which
such extended keys required in the case where common key
cryptosystem is applied can be safely prepared at a high speed.
[0109] According to the invention claimed in the second aspect,
nonlinear type operation is effected with respect to the respective
elements divided, whereby there is an advantage to provide an
extended key preparing apparatus by which bits forming a
cryptographic key are diffused, so that safety in cryptograph can
be much more increased.
[0110] According to the invention claimed in the third aspect, when
the cryptographic key is divided into eight elements of 32 bits,
the nonlinear type operating means separates the elements into 6,
5, 5, 5, 5, and 6 bits to transpose the same into other data,
respectively, and the data after transposition are subjected to
nonlinear type operation by the use of a determinant, whereby there
is an advantage to provide an extended key preparing apparatus by
which nonlinear type operation can be efficiently carried out at a
high speed.
[0111] According to the invention claimed in the fourth aspect, a
constant is added to an odd number-th element which has been
subjected to nonlinear type operation; besides an even number-th
element which has been subjected to nonlinear type operation is
multiplied by the constant; and exclusive OR operation of both the
odd number-th element and the even number-th element is effected,
whereby there is an advantage to provide an extended key preparing
apparatus by which intermediate data can be efficiently
prepared.
[0112] According to the invention claimed in the fifth aspect, the
result of the exclusive OR operation is subjected to nonlinear type
operation to prepare intermediate data, whereby there is an
advantage to provide an extended key preparing apparatus by which
bits forming the result of the exclusive OR operation are further
diffused, so that safety in cryptograph can be much more
improved.
[0113] According to the invention claimed in the sixth aspect, the
plurality of times of additions and multiplications are repeated
with the use of the number i of different constants, respectively,
to prepare the number i of data in every elements; i times of
operations for acquiring exclusive OR of the odd number-th element
and the even number-th element which have been operated by the use
of the same constants are repeated; and the number i of
intermediate data are prepared in every elements, whereby there is
an advantage to provide an extended key preparing apparatus by
which a plurality of intermediate data can be prepared in every
respective elements by a simple procedure.
[0114] According to the invention claimed in the seventh aspect,
one intermediate data corresponding to the number of stages of an
extended key is selected among the number i of intermediate data
contained in the respective elements prepared, whereby there is an
advantage to provide an extended key preparing apparatus by which
independency of a certain extended key can be maintained with
respect to the other keys.
[0115] According to the invention claimed in the eighth aspect, a
plurality of intermediate data selected are rearranged; and the
plurality of intermediate data which have been rearranged are
converted irreversibly, whereby there is an advantage to provide an
extended key preparing apparatus by which unidirectional property
of a certain cryptographic key towards extended keys can be
maintained, so that even if a certain extended key leaks out, the
cryptographic key can be held in secret.
[0116] According to the invention claimed in the ninth aspect, when
intermediate data are rearranged in an order of elements X, Y, Z,
and W by the rearrangement means, a first data is prepared by
adding the element Y to a data obtained by shifting cyclically the
element X leftwards by 1 bit; a second data is prepared by sifting
cyclically the data leftwards by further 1 bit, which data has been
obtained by subtracting the element W from a data obtained by
shifting cyclically the element Z leftwards by 1 bit; and exclusive
OR of the first data and the second data is operated, whereby there
is an advantage to provide an extended key preparing apparatus by
which irreversible conversion can be efficiently implemented at a
high speed.
[0117] According to the invention claimed in the tenth aspect, a
cryptographic key of 128 bits, 192 bits, or 256 bits is divided
into eight elements of 32 bits, whereby there is an advantage to
provide an extended key preparing apparatus by which the extended
key can be prepared by using the same logic, even if the number of
bits input differs in extended key.
[0118] According to the invention claimed in the eleventh aspect,
binary digit string of the cryptographic key is divided into a
plurality of elements each composed of a predetermined bit length;
a plurality of intermediate data are prepared by applying the
plurality of times an operation wherein a predetermined constant is
used to the respective elements; a plurality of intermediate data
corresponding to the number of stages of extended keys are selected
from the plurality of the intermediate data prepared; and the
extended keys corresponding to the number of stages are prepared by
converting irreversibly the plurality of the intermediate data
selected, whereby there is an advantage to provide an extended key
preparing method by which such extended keys required in the case
where common key cryptosystem is applied can be safely prepared at
a high speed.
[0119] According to the invention claimed in the twelfth aspect,
nonlinear type operation is effected with respect to the respective
elements divided, whereby there is an advantage to provide an
extended key preparing method by which bits forming a cryptographic
key are diffused, so that safety in cryptograph can be much more
increased.
[0120] According to the invention claimed in the thirteenth aspect,
when the cryptographic key is divided into eight elements of 32
bits, the nonlinear type operating means separates the elements
into 6, 5, 5, 5, 5, and 6 bits to transpose the same into other
data, respectively, and the data after transposition are subjected
to nonlinear type operation by the use of a determinant, whereby
there is an advantage to provide an extended key preparing method
by which nonlinear type operation can be efficiently carried out at
a high speed.
[0121] According to the invention claimed in the fourteenth aspect,
a constant is added to an odd number-th element which has been
subjected to nonlinear type operation; besides an even number-th
element which has been subjected to nonlinear type operation is
multiplied by the constant; and exclusive OR operation of both the
odd number-th element and the even number-th element is effected,
whereby there is an advantage to provide an extended key preparing
method by which intermediate data can be efficiently prepared.
[0122] According to the invention claimed in the fifteenth aspect,
the result of the exclusive OR operation is subjected to nonlinear
type operation to prepare intermediate data, whereby there is an
advantage to provide an extended key preparing method by which bits
forming the result of the exclusive OR operation are further
diffused, so that safety in cryptograph can be much more
improved.
[0123] According to the invention claimed in the sixteenth aspect,
the plurality of times of additions and multiplications are
repeated with the use of the number i of different constants,
respectively, to prepare the number i of data in every elements; i
times of operations for acquiring exclusive OR of the odd number-th
element and the even number-th element which have been operated by
the use of the same constants are repeated; and the number i of
intermediate data are prepared in every elements, whereby there is
an advantage to provide an extended key preparing method by which a
plurality of intermediate data can be prepared in every respective
elements by a simple procedure.
[0124] According to the invention claimed in the seventeenth
aspect, one intermediate data corresponding to the number of stages
of an extended key is selected among the number i of intermediate
data contained in the respective elements prepared, whereby there
is an advantage to provide an extended key preparing method by
which independency of a certain extended key can be maintained with
respect to the other keys.
[0125] According to the invention claimed in the eighteenth aspect,
a plurality of intermediate data selected are rearranged; and the
plurality of intermediate data which have been rearranged are
converted irreversibly, whereby there is an advantage to provide an
extended key preparing method by which unidirectional property of a
certain cryptographic key towards extended keys can be maintained,
so that even if a certain extended key leaks out, the cryptographic
key can be held in secret.
[0126] According to the invention claimed in the nineteenth aspect,
when intermediate data are rearranged in an order of elements X, Y,
Z, and W by the rearrangement means, a first data is prepared by
adding the element Y to a data obtained by shifting cyclically the
element X leftwards by 1 bit; a second data is prepared by sifting
cyclically the data leftwards by further 1 bit, which data has been
obtained by subtracting the element W from a data obtained by
shifting cyclically the element Z leftwards by 1 bit; and exclusive
OR of the first data and the second data is operated, whereby there
is an advantage to provide an extended key preparing method by
which irreversible conversion can be efficiently implemented at a
high speed.
[0127] According to the invention claimed in the twentieth aspect,
a cryptographic key of 128 bits, 192 bits, or 256 bits is divided
into eight elements of 32 bits, whereby there is an advantage to
provide an extended key preparing method by which the extended key
can be prepared by using the same logic, even if the number of bits
input differs in extended key.
[0128] According to the invention claimed the twenty-first aspect,
binary digit string of the cryptographic key is divided into a
plurality of elements each composed of a predetermined bit length;
a plurality of intermediate data are prepared by applying the
plurality of times an operation wherein a predetermined constant is
used to the respective elements; a plurality of intermediate data
corresponding to the number of stages of extended keys are selected
from the plurality of the intermediate data prepared; and the
extended keys corresponding to the number of stages are prepared by
converting irreversibly the plurality of the intermediate data
selected, whereby there is an advantage to provide a computer
readable recording medium by which such extended keys required in
the case where common key cryptosystem is applied can be safely
prepared at a high speed.
[0129] Although the invention has been described with respect to a
specific embodiment for a complete and clear disclosure, the
appended claims are not to be thus limited but are to be construed
as embodying all modifications and alternative constructions that
may occur to one skilled in the art which fairly fall within the
basic teaching herein set forth.
* * * * *